[sudo-users] Disabling "sudo su" but allow everything else?
Patrick Spinler
spinler.patrick at mayo.edu
Mon Aug 2 16:33:48 EDT 2010
On 08/02/2010 02:14 PM, Paul Cantle wrote:
> Hi All,
>
> I'd also look to disable /bin/vi (without the /etc/sudoers flag by adding it to the RESTRICTED alias) as users will be able to shell out of vi by default and get a root shell anyway (which will kind of make !SHELLS irrelevant).
>
Be careful, this way madness lies.
Remember there's many programs that can spawn a shell, Some pages such
as less for instance. Certain editors (vi and emacs) and mail handlers.
The list goes on and on.
You'll either find yourself missing stuff, or rapidly back yourself into
a corner.
Worse, even if you catch all the system installed exceptions, *nothing*
prevents a user from doing:
cp /bin/sh_of_choice /some/writeable/directory/whee_i_have_privs
sudo /some/writeable/directory/whee_i_have_privs
A much better approach is to deny everything by default, and selectively
grant the few privs the user really needs. For instance, here's a setup
I might do on redhat for an apache server:
@group_to_priv ALL=(root) /sbin/service httpd *
@group_to_priv ALL=(root) sudoedit /etc/http.d/*.conf
@group_to_priv ALL=(root) /sbin/su - apache
-- Pat
More information about the sudo-users
mailing list